[标    题]

[原创][.NET][爆破]我的Microsoft Math 3.0激活之路


[作   者]

快雪时晴,2007年6月16日


[目    标]
  
在CNBeta看到一则新闻:

Microsoft Math 3.0 试用版发布啦!
CB_Freshman发布于 2007-06-14 06:54:32|3185 次阅读
 
来源:AppBeta
微软推出的Math工具提供了强大的数学工具,尤其适合学生和教师,可以帮助他们逐步解方程,更好地理解代数学、几何学、物理、化学和微积分等。
(该软件为收费软件,30天试用时间)

Math的界面左侧被设计成一个计算器模型,右侧则是主要的显示区域。主要功能有:

1、图形化计算器:具有广泛的图形和解方程能力,具有制作2D和增强的3D彩色图形功能,有助于人们可视化解决问题并理解概念。
2、逐步解方程:从基本的数学问题到微积分,可以解决许多数学问题。
3、公式和方程库:具有100多个常用方程和公式。
4、解三角形。
5、单位换算。
6、新:支持Tablet和Ultra-Mobile PC的数字墨水技术,可以通过手写解决许多Math可以识别的问题。

提示:Math是收费软件,这个是30天试用版。

每次程序运行都会提示,30天后必须输入25位产品序列ID。

下载地址:http://msft-dnl.digitalrivercontent.net/msoffice/pub/X13-66853/X13-66853.exe

oh-yeah,就是它!



[工    具] 

PEID、OllyICE、010Editor、Reflector、ILDasm、
ILAsm、SN.exe、SNRemove、SNReplace.exe、StrongName Patcher、
Abel_Load231、DUP2.15final
PEBrowseDbg_pro



[平    台]

EN-WINXPSP2+MUI
.NET Framework v2.0.50727



[第一部分] 探究关键代码

主程序MATHAPP.EXE为.NET程序,当然首先采用静态分析方法了(动态调试还不熟悉,工具和参考资料都远不及WIN32 PE)。
微软的东西就是好,不加壳,没有应用代码混淆,很快就找到关键地方。

===============================================Reflector逆向情况========================================================
private static void Main(string[] args);
 
Declaring Type: Microsoft.MicrosoftMath.Application.AppMain 
Assembly: MathApp, Version=3.0.1184.1020 

 

/// <summary>
/// Reflector decompilation of the MathApp.exe (3.0.1184.1020) entry point, reproduced as the
/// article's reference for the license-check control flow. The comments are review notes and
/// are not part of the original binary.
/// </summary>
/// <param name="args">Command-line arguments; forwarded to CheckSingleInstance and MainForm.SetCommandArgs.</param>
[STAThread]
private static void Main(string[] args)
{
    // ThrowException mode lets unhandled exceptions propagate instead of the default WinForms
    // error dialog; they are then observed by AppMain.OnUnhandledException.
    Application.SetUnhandledExceptionMode(UnhandledExceptionMode.ThrowException);
    AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(AppMain.OnUnhandledException);
    ResManager.InitializeMinimum();
    // The single-instance identifier is derived from the SKU when one is present.
    SingleInstance.AppName = (ResManager.SKU == null) ? "EncCalc" : ("EncCalc-" + ResManager.SKU);
    if (SingleInstance.CheckSingleInstance(args, false, true) == SingleInstanceState.AlreadyRunning)
    {
        return;
    }
    AppResManager.Initialize();
    AppDrawingInfo.Initialize();
    // dwGraceTime is an out parameter filled by the native license call; it is reused below to
    // decide whether an unactivated copy may still run.
    uint dwGraceTime = 0;
    // NOTE(review): the whole activation decision collapses into this one managed bool. The
    // write-up later shows that this assignment (and the native call behind it) is exactly
    // what gets patched, so an in-process check like this is a usability gate, not a trust
    // boundary against anyone who holds the binary.
    AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
    if (!CheckEula())
    {
        return;
    }
    CheckSQM();
    // NOTE(review): check ordering. The article identifies CheckLicenseStatus as an export of
    // MathRichEditNative.dll; if NativeMethods resolves to that DLL, its code has already been
    // loaded and executed (above) before its certificate is verified here, so this verification
    // cannot protect the earlier license call. ExitApp is presumably terminating -- there is no
    // return after it -- confirm.
    if (!AppResManager.VerifyMSCertificate(Path.Combine(ResManager.AppDirectory, "MathRichEditNative.dll")))
    {
        AppResManager.ExitApp();
    }
    if (!AppResManager.Activated)
    {
        // A null product key is passed; presumably the wizard is where the 25-character key the
        // article mentions is entered -- confirm against the native API.
        string pszProdKey = null;
        switch (NativeMethods.ShowActivationWizard(IntPtr.Zero, pszProdKey, 0, dwGraceTime, ResManager.SKU))
        {
            // Three wizard results trigger a re-check of the license; the meaning of the two
            // non-zero codes is not visible here -- TODO confirm.
            case 0:
            case 0xc000000c:
            case 0xf000000e:
                AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
                // Exit only when the trial grace period is over AND activation still failed.
                if ((dwGraceTime == 0) && !AppResManager.Activated)
                {
                    AppResManager.ExitApp();
                }
                goto Label_00FB;
        }
        // Any other wizard result: keep running only while grace time remains.
        if (dwGraceTime == 0)
        {
            AppResManager.ExitApp();
        }
    }
Label_00FB:
    Application.ApplicationExit += new EventHandler(AppMain.OnApplicationExit);
    Application.Idle += new EventHandler(AppMain.OnApplicationIdle);
    Application.EnableVisualStyles();
    MainForm mainForm = new MainForm();
    mainForm.SetCommandArgs(args);
    Application.Run(mainForm);
}



====================================ILDASM 显示情况========================================================
.method private hidebysig static void  Main(string[] args) cil managed
// SIG: 00 01 01 1D 0E
{
  .entrypoint
  .custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 ) 
  // Method begins at RVA 0xb80c
  // Code size       313 (0x139)
  .maxstack  5
  .locals init (valuetype [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstanceState V_0,
           uint32 V_1,
           string V_2,
           uint32 V_3,
           class Microsoft.MicrosoftMath.Application.MainForm V_4)
  IL_0000:  /* 17   |                  */ ldc.i4.1
  IL_0001:  /* 28   | (0A)0001DD       */ call       void [System.Windows.Forms]System.Windows.Forms.Application::SetUnhandledExceptionMode(valuetype [System.Windows.Forms]System.Windows.Forms.UnhandledExceptionMode)
  IL_0006:  /* 28   | (0A)0001DE       */ call       class [mscorlib]System.AppDomain [mscorlib]System.AppDomain::get_CurrentDomain()
  IL_000b:  /* 14   |                  */ ldnull
  IL_000c:  /* FE06 | (06)00009C       */ ldftn      void Microsoft.MicrosoftMath.Application.AppMain::OnUnhandledException(object, class [mscorlib]System.UnhandledExceptionEventArgs)
  IL_0012:  /* 73   | (0A)0001DF       */ newobj     instance void [mscorlib]System.UnhandledExceptionEventHandler::.ctor(object,native int)
  IL_0017:  /* 6F   | (0A)0001E0       */ callvirt   instance void [mscorlib]System.AppDomain::add_UnhandledException(class [mscorlib]System.UnhandledExceptionEventHandler)
  IL_001c:  /* 28   | (0A)0001E1       */ call       void [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::InitializeMinimum()
  IL_0021:  /* 28   | (0A)0001E2       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0026:  /* 2C   | 11               */ brfalse.s  IL_0039
  IL_0028:  /* 72   | (70)0006A9       */ ldstr      "EncCalc-"
  IL_002d:  /* 28   | (0A)0001E2       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0032:  /* 28   | (0A)000091       */ call       string [mscorlib]System.String::Concat(string,string)
  IL_0037:  /* 2B   | 05               */ br.s       IL_003e
  IL_0039:  /* 72   | (70)0006BB       */ ldstr      "EncCalc"
  IL_003e:  /* 28   | (0A)0001E3       */ call       void [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstance::set_AppName(string)
  IL_0043:  /* 02   |                  */ ldarg.0
  IL_0044:  /* 16   |                  */ ldc.i4.0
  IL_0045:  /* 17   |                  */ ldc.i4.1
  IL_0046:  /* 28   | (0A)0001E4       */ call       valuetype [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstanceState [MathControls]Microsoft.MicrosoftMath.Controls.SingleInstance::CheckSingleInstance(string[],bool,bool)
  IL_004b:  /* 0A   |                  */ stloc.0
  IL_004c:  /* 06   |                  */ ldloc.0
  IL_004d:  /* 17   |                  */ ldc.i4.1
  IL_004e:  /* 33   | 01               */ bne.un.s   IL_0051
  IL_0050:  /* 2A   |                  */ ret
  IL_0051:  /* 28   | (06)00027A       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::Initialize()
  IL_0056:  /* 28   | (06)00009E       */ call       void Microsoft.MicrosoftMath.Application.AppDrawingInfo::Initialize()
  IL_005b:  /* 16   |                  */ ldc.i4.0
  IL_005c:  /* 0B   |                  */ stloc.1
  IL_005d:  /* 28   | (0A)0001E2       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_0062:  /* 12   | 01               */ ldloca.s   V_1
*********************************************************
*二进制搜索定位(共2处):1201281304000616FE0116FE0128
*********************************************************
  IL_0064:  /* 28   | (06)000413       */ call       uint32 Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus(string,uint32&)
  IL_0069:  /* 16   |                  */ ldc.i4.0
  IL_006a:  /* FE01 |                  */ ceq
  IL_006c:  /* 16   |                  */ ldc.i4.0
  IL_006d:  /* FE01 |                  */ ceq
  IL_006f:  /* 28   | (06)00026D       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::set_Activated(bool)
  IL_0074:  /* 28   | (06)000099       */ call       bool Microsoft.MicrosoftMath.Application.AppMain::CheckEula()
  IL_0079:  /* 2D   | 01               */ brtrue.s   IL_007c
  IL_007b:  /* 2A   |                  */ ret
  IL_007c:  /* 28   | (06)000098       */ call       void Microsoft.MicrosoftMath.Application.AppMain::CheckSQM()
  IL_0081:  /* 28   | (0A)0001E5       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_AppDirectory()
  IL_0086:  /* 72   | (70)0006CB       */ ldstr      "MathRichEditNative.dll"
  IL_008b:  /* 28   | (0A)0001E6       */ call       string [mscorlib]System.IO.Path::Combine(string, string)
  IL_0090:  /* 28   | (06)000291       */ call       bool Microsoft.MicrosoftMath.Application.AppResManager::VerifyMSCertificate(string)
  IL_0095:  /* 2D   | 05               */ brtrue.s   IL_009c
  IL_0097:  /* 28   | (06)000292       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_009c:  /* 28   | (06)00026C       */ call       bool Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  IL_00a1:  /* 2D   | 58               */ brtrue.s   IL_00fb
  IL_00a3:  /* 14   |                  */ ldnull
  IL_00a4:  /* 0C   |                  */ stloc.2
  IL_00a5:  /* 7E   | (0A)0001E7       */ ldsfld     native int [mscorlib]System.IntPtr::Zero
  IL_00aa:  /* 08   |                  */ ldloc.2
  IL_00ab:  /* 16   |                  */ ldc.i4.0
  IL_00ac:  /* 07   |                  */ ldloc.1
  IL_00ad:  /* 28   | (0A)0001E2       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_00b2:  /* 28   | (06)000414       */ call       uint32 Microsoft.MicrosoftMath.Application.NativeMethods::ShowActivationWizard(native int,string,uint32,uint32,string)
  IL_00b7:  /* 0D   |                  */ stloc.3
  IL_00b8:  /* 09   |                  */ ldloc.3
  IL_00b9:  /* 2C   | 10               */ brfalse.s  IL_00cb
  IL_00bb:  /* 09   |                  */ ldloc.3
  IL_00bc:  /* 20   | 0C0000C0         */ ldc.i4     0xc000000c
  IL_00c1:  /* 2E   | 08               */ beq.s      IL_00cb
  IL_00c3:  /* 09   |                  */ ldloc.3
  IL_00c4:  /* 20   | 0E0000F0         */ ldc.i4     0xf000000e
  IL_00c9:  /* 33   | 28               */ bne.un.s   IL_00f3
  IL_00cb:  /* 28   | (0A)0001E2       */ call       string [MathControls]Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  IL_00d0:  /* 12   | 01               */ ldloca.s   V_1
  IL_00d2:  /* 28   | (06)000413       */ call       uint32 Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus(string, uint32&)
  IL_00d7:  /* 16   |                  */ ldc.i4.0
  IL_00d8:  /* FE01 |                  */ ceq
  IL_00da:  /* 16   |                  */ ldc.i4.0
  IL_00db:  /* FE01 |                  */ ceq
  IL_00dd:  /* 28   | (06)00026D       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::set_Activated(bool)
  IL_00e2:  /* 07   |                  */ ldloc.1
  IL_00e3:  /* 2D   | 16               */ brtrue.s   IL_00fb
  IL_00e5:  /* 28   | (06)00026C       */ call       bool Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  IL_00ea:  /* 2D   | 0F               */ brtrue.s   IL_00fb
  IL_00ec:  /* 28   | (06)000292       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_00f1:  /* 2B   | 08               */ br.s       IL_00fb
  IL_00f3:  /* 07   |                  */ ldloc.1
  IL_00f4:  /* 2D   | 05               */ brtrue.s   IL_00fb
  IL_00f6:  /* 28   | (06)000292       */ call       void Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  IL_00fb:  /* 14   |                  */ ldnull
  IL_00fc:  /* FE06 | (06)00009A       */ ldftn      void Microsoft.MicrosoftMath.Application.AppMain::OnApplicationExit(object, class [mscorlib]System.EventArgs)
  IL_0102:  /* 73   | (0A)000020       */ newobj     instance void [mscorlib]System.EventHandler::.ctor(object, native int)
  IL_0107:  /* 28   | (0A)0001E8       */ call       void [System.Windows.Forms]System.Windows.Forms.Application::add_ApplicationExit(class [mscorlib]System.EventHandler)
  IL_010c:  /* 14   |                  */ ldnull
  IL_010d:  /* FE06 | (06)00009B       */ ldftn      void Microsoft.MicrosoftMath.Application.AppMain::OnApplicationIdle(object, class [mscorlib]System.EventArgs)
  IL_0113:  /* 73   | (0A)000020       */ newobj     instance void [mscorlib]System.EventHandler::.ctor(object,native int)
  IL_0118:  /* 28   | (0A)0001E9       */ call       void [System.Windows.Forms]System.Windows.Forms.Application::add_Idle(class [mscorlib]System.EventHandler)
  IL_011d:  /* 28   | (0A)0001EA       */ call       void [System.Windows.Forms]System.Windows.Forms.Application::EnableVisualStyles()
  IL_0122:  /* 73   | (06)00047C       */ newobj     instance void Microsoft.MicrosoftMath.Application.MainForm::.ctor()
  IL_0127:  /* 13   | 04               */ stloc.s    V_4
  IL_0129:  /* 11   | 04               */ ldloc.s    V_4
  IL_012b:  /* 02   |                  */ ldarg.0
  IL_012c:  /* 6F   | (06)0004B2       */ callvirt   instance void Microsoft.MicrosoftMath.Application.MainForm::SetCommandArgs(string[])
  IL_0131:  /* 11   | 04               */ ldloc.s    V_4
  IL_0133:  /* 28   | (0A)0001EB       */ call       void [System.Windows.Forms]System.Windows.Forms.Application::Run(class [System.Windows.Forms]System.Windows.Forms.Form)
  IL_0138:  /* 2A   |                  */ ret
} // end of method AppMain::Main




[第二部分]  找下手的地方

用二进制编辑器010Editor搜索:
1201281304000616FE0116FE0128
查到两处,只改第一处即可使AppResManager.Activated为真。

简单问题不简单,改后保存,程序异常退出拒绝运行。
用PEBrowseDbg调试,修改后的主程序(不管是IL patch,还是强名去除,或是强名替换)在加载过程中异常,说明是.NET检测到程序被修改了。
这都是强名保护干的好事了,RSA1024保护着,要破解得到正确产品ID看来不可能了。

去强名吧,网上似乎谈的也多。
下了好几个工具,比如SNRemover,SNReplacer等等,都不行,难道微软的.NET Framework对这些小动作有了新的anti功能?

我没有去试直接修改.net平台检测强名签名的程序,那样影响整个.net平台的安全性,不大好。

办法总是有,生活从来不缺少意外,当然也包括惊喜。

====================================================================================================
注意到注册验证模块在MathRichEditNative.dll(本地方法)中: 
名称位于 MathRich, 条目 25
 地址=4745650C
 区段=.text
 类型=输出
 名称=CheckLicenseStatus

用PEID检测MathRichEditNative.dll,显示Armadillo壳,????似乎不太可能吧,这不是微软的作风。
我就不把它当有壳,呵呵。
用OllyICE加载,CTRL+N,输入输出函数都很齐全摆那,应该是PEid误报了。

更重要的一点是该dll没有自校验,那修改起来就省去很多麻烦了。

该输出函数似乎没干什么正事,可能只是.net IMPORT外部dll的一个COM接口代码而已,实际代码需要继续跟下去。
4745650C >/$  51                push    ecx
4745650D  |.  8D6424 FC         lea     esp, dword ptr [esp-4]
47456511  |.  890C24            mov     dword ptr [esp], ecx
47456514  |.  8D0D D1634547     lea     ecx, dword ptr [474563D1]
4745651A  |.  8D89 6D010000     lea     ecx, dword ptr [ecx+16D]
47456520  |.  894C24 04         mov     dword ptr [esp+4], ecx
47456524  |.  8D0D 38815247     lea     ecx, dword ptr [47528138]
4745652A  |.  8D89 5C010000     lea     ecx, dword ptr [ecx+15C]
47456530  |.  8D6424 FC         lea     esp, dword ptr [esp-4]
47456534  |.  890C24            mov     dword ptr [esp], ecx
47456537  |.  8B4C24 04         mov     ecx, dword ptr [esp+4]
4745653B  \.  C2 0400           retn    4

堆栈:(ESP--〉0012F430)
0012F430   00A7B2B1  返回到 00A7B2B1
0012F434   013E6920  UNICODE "G07ASTRC"
0012F438   0012F474


根据堆栈指示直接来到这里:(retn 4不会立即返回00A7B2B1)
00A7B2AF    FF10                call    dword ptr [eax]
00A7B2B1    C643 08 01          mov     byte ptr [ebx+8], 1
//在OllyICE中手动修改EAX=1,函数返回真,程序变成已经激活!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//---------------------------------------但如何修改呢?请注意这里是动态申请的内存空间
00A7B2B5    833D F017387A 00    cmp     dword ptr [7A3817F0], 0

当然也可以逐级返回跟踪:
036D0266    E8 91903BFD     call    00A892FC
036D026B    85C0            test    eax, eax
//返回这里
036D026D    0F95C2          setne   dl
036D0270    0FB6D2          movzx   edx, dl
036D0273    8815 6C35A800   mov     byte ptr [A8356C], dl

做内存补丁的时候把
setne   dl
修改为
sete     dl
OD加载.NET程序时最初停在kernel.dll领空,因为.net程序是类似java虚拟机/vb一样从中间字节码
解释执行的,这时候程序二进制代码还没有产生(感觉像还没脱壳一样)。

不知道做出来的内存补丁loader能不能跨平台,或许不同机器不同的.net平台版本会申请不同的内存地址,
以至于补丁地址不一样。

^^^^^^想法总是好的,但制作内存补丁的路子似乎有点坎坷而且没有成功,一切源于.NET以及其强名保护(STRONG NAME)
用现有的loader制作工具似乎难以定位啥时候打补丁,也不知如何针对动态内存打。



先继续看看上面跟踪到的这段代码:
036D024C    FF15 8872A800   call    dword ptr [A87288]
036D0252    FF15 E87CA800   call    dword ptr [A87CE8]
036D0258    33D2            xor     edx, edx
036D025A    8955 F4         mov     dword ptr [ebp-C], edx
036D025D    8B0D 14343E02   mov     ecx, dword ptr [23E3414]
036D0263    8D55 F4         lea     edx, dword ptr [ebp-C]
036D0266    E8 91903BFD     call    00A892FC  //********************
036D026B    85C0            test    eax, eax
036D026D    0F95C2          setne   dl
036D0270    0FB6D2          movzx   edx, dl
036D0273    8815 6C35A800   mov     byte ptr [A8356C], dl
036D0279    FF15 6036A800   call    dword ptr [A83660]
036D027F    85C0            test    eax, eax
036D0281    75 05           jnz     short 036D0288
036D0283    59              pop     ecx
036D0284    5E              pop     esi
036D0285    5F              pop     edi
036D0286    5D              pop     ebp
036D0287    C3              retn
036D0288    FF15 5C36A800   call    dword ptr [A8365C]
036D028E    8B0D 2C343E02   mov     ecx, dword ptr [23E342C]
036D0294    8B15 D07B3E02   mov     edx, dword ptr [23E7BD0]
036D029A    E8 2DECCA75     call    mscorlib.7937EECC
036D029F    8BC8            mov     ecx, eax
036D02A1    FF15 E472A800   call    dword ptr [A872E4]
036D02A7    85C0            test    eax, eax
036D02A9    75 13           jnz     short 036D02BE
036D02AB    E8 105B9F77     call    System_W.7B0C5DC0
036D02B0    E8 F343F976     call    System_n.7A6646A8
036D02B5    8BC8            mov     ecx, eax
036D02B7    3909            cmp     dword ptr [ecx], ecx
036D02B9    E8 AE771A77     call    System_n.7A877A6C
036D02BE    803D 6C35A800 0>cmp     byte ptr [A8356C], 0
036D02C5    0F85 7F000000   jnz     036D034A
036D02CB    6A 00           push    0
036D02CD    FF75 F4         push    dword ptr [ebp-C]
036D02D0    FF35 14343E02   push    dword ptr [23E3414]
036D02D6    33D2            xor     edx, edx
036D02D8    33C9            xor     ecx, ecx
036D02DA    E8 29903BFD     call    00A89308
036D02DF    85C0            test    eax, eax
036D02E1    74 0E           je      short 036D02F1
036D02E3    3D 0C0000C0     cmp     eax, C000000C
036D02E8    74 07           je      short 036D02F1
036D02EA    3D 0E0000F0     cmp     eax, F000000E
036D02EF    75 40           jnz     short 036D0331
036D02F1    8B0D 14343E02   mov     ecx, dword ptr [23E3414]
036D02F7    8D55 F4         lea     edx, dword ptr [ebp-C]
036D02FA    E8 FD8F3BFD     call    00A892FC    //********************
036D02FF    85C0            test    eax, eax
036D0301    0F95C2          setne   dl
036D0304    0FB6D2          movzx   edx, dl
036D0307    8815 6C35A800   mov     byte ptr [A8356C], dl

是不是和我们在reflector里看到的c#源代码或者ildasm里看到的IL代码很相似呢?
AppResManager.Initialize();
    AppDrawingInfo.Initialize();
    uint dwGraceTime = 0;
    AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
    if (!CheckEula())
    {
        return;
    }
    CheckSQM();
    if (!AppResManager.VerifyMSCertificate(Path.Combine(ResManager.AppDirectory, "MathRichEditNative.dll")))
    {
        AppResManager.ExitApp();
    }
    if (!AppResManager.Activated)
    {
        string pszProdKey = null;
        switch (NativeMethods.ShowActivationWizard(IntPtr.Zero, pszProdKey, 0, dwGraceTime, ResManager.SKU))
        {
            case 0:
            case 0xc000000c:
            case 0xf000000e:
                AppResManager.Activated = NativeMethods.CheckLicenseStatus(ResManager.SKU, out dwGraceTime) != 0;
                if ((dwGraceTime == 0) && !AppResManager.Activated)
                {
                    AppResManager.ExitApp();
                }
                goto Label_00FB;
        }
        if (dwGraceTime == 0)
        {
            AppResManager.ExitApp();
        }
    }
Label_00FB:

.net程序真的跟脱壳很相似,二进制代码就这么动态出现了。


==========================================================================================================
事实就是这样,我用PEBrowseDbg动态跟踪程序看到的情况:
Disassembly of JITTED Microsoft.MicrosoftMath.Application.AppMain::Main (06000097) at 0x03A48990
  ; Stack Size (in BYTES): 16 (0x00000010)
  ; Number of Parameters: 0
  ; Local Variables Size (in BYTES): 4 (0x00000004)
  ; Prologue Size (in BYTES): 27 (0x1B)
  ; Standard Frame
  0x3A48990: 6A00                 PUSH        0x0                 
  0x3A48992: 6A00                 PUSH        0x0                 
  0x3A48994: 6A00                 PUSH        0x0                 
  0x3A48996: 680036A600           PUSH        0xA63600            
  0x3A4899B: E810875B0C           CALL        0x100010B0          
  0x3A489A0: 55                   PUSH        EBP                 
  0x3A489A1: 8BEC                 MOV         EBP,ESP             
  0x3A489A3: 57                   PUSH        EDI                 
  0x3A489A4: 56                   PUSH        ESI                 
  0x3A489A5: 50                   PUSH        EAX                 
  0x3A489A6: 33C0                 XOR         EAX,EAX             
  0x3A489A8: 8945F4               MOV         DWORD PTR [EBP-0xC],EAX; VAR:0xC
  ; end of prologue
  0x3A489AB: 8BF9                 MOV         EDI,ECX             
  ; IL_0000: ldc.i4.1 
  ; IL_0001: call  System.Windows.Forms.Application::SetUnhandledExceptionMode()
  0x3A489AD: B901000000           MOV         ECX,0x1             
  0x3A489B2: FF15981F2904         CALL        DWORD PTR [0x4291F98]
  ; IL_0006: call  System.AppDomain::get_CurrentDomain()
  ; IL_000B: ldnull 
  ; IL_000C: ldftn  Microsoft.MicrosoftMath.Application.AppMain::OnUnhandledException()
  ; IL_0012: newobj  System.UnhandledExceptionEventHandler::.ctor()
  0x3A489B8: B9641BAB03           MOV         ECX,0x3AB1B64       
  0x3A489BD: E80A9700FD           CALL        0xA520CC            
  0x3A489C2: 8BF0                 MOV         ESI,EAX             
  0x3A489C4: FF15F8273701         CALL        DWORD PTR [0x13727F8]
  0x3A489CA: 8BC8                 MOV         ECX,EAX             
  0x3A489CC: 8D5604               LEA         EDX,[ESI+0x4]       
  0x3A489CF: E852B04276           CALL        DllUnregisterServerInternal + 0x0206          ; (0x79E73A26)
  0x3A489D4: C7460C04213900       MOV         DWORD PTR [ESI+0xC],0x392104
  0x3A489DB: B8F8212904           MOV         EAX,0x42921F8       
  0x3A489E0: 894610               MOV         DWORD PTR [ESI+0x10],EAX
  ; IL_0017: callvirt  System.AppDomain::add_UnhandledException()
  0x3A489E3: 8BD6                 MOV         EDX,ESI             
  0x3A489E5: 8B01                 MOV         EAX,DWORD PTR [ECX] 
  0x3A489E7: FF9020010000         CALL        DWORD PTR [EAX+0x120]
  ; IL_001C: call  Microsoft.MicrosoftMath.Controls.ResManager::InitializeMinimum()
  ; IL_0021: call  Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  ; IL_0026: brfalse.s IL_0039
  ; IL_0028: ldstr "EncCalc-"
  ; IL_002D: call  Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  ; IL_0032: call  System.String::Concat()
  ; IL_0037: br.s IL_003E
  ; IL_0039: ldstr "EncCalc"
  ; IL_003E: call  Microsoft.MicrosoftMath.Controls.SingleInstance::set_AppName()
  0x3A489ED: FF1580252904         CALL        DWORD PTR [0x4292580]
  0x3A489F3: 833D34364F0200       CMP         DWORD PTR [0x24F3634],0x0
  0x3A489FA: 7414                 JE          0x3A48A10           ; (*+0x16) 
  0x3A489FC: 8B0DC8204F02         MOV         ECX,DWORD PTR [0x24F20C8]
  0x3A48A02: 8B1534364F02         MOV         EDX,DWORD PTR [0x24F3634]
  0x3A48A08: FF15C495A800         CALL        DWORD PTR [0xA895C4]
  0x3A48A0E: EB06                 JMP         0x3A48A16           
  0x3A48A10: 8B05CC204F02         MOV         EAX,DWORD PTR [0x24F20CC]  ; <==0x03A489FA(*-0x16)
  0x3A48A16: 8D1560344F02         LEA         EDX,[0x24F3460]       ; <==0x03A48A0E(*-0x8)
  0x3A48A1C: E80FAF4276           CALL        DllUnregisterServerInternal + 0x0110          ; (0x79E73930)
  ; IL_0043: ldarg.0 
  ; IL_0044: ldc.i4.0 
  ; IL_0045: ldc.i4.1 
  ; IL_0046: call  Microsoft.MicrosoftMath.Controls.SingleInstance::CheckSingleInstance()
  ; IL_004B: stloc.0 
  0x3A48A21: 6A01                 PUSH        0x1                 
  0x3A48A23: 8BCF                 MOV         ECX,EDI             
  0x3A48A25: 33D2                 XOR         EDX,EDX             
  0x3A48A27: FF1530282904         CALL        DWORD PTR [0x4292830]
  ; IL_004C: ldloc.0 
  ; IL_004D: ldc.i4.1 
  ; IL_004E: bne.un.s IL_0051
  0x3A48A2D: 83F801               CMP         EAX,0x1             
  0x3A48A30: 7505                 JNE         0x3A48A37           ; (*+0x7) 
  ; IL_0050: ret 
  0x3A48A32: E983010000           JMP         0x3A48BBA           
  ; IL_0051: call  Microsoft.MicrosoftMath.Application.AppResManager::Initialize()
  0x3A48A37: FF15782C2904         CALL        DWORD PTR [0x4292C78]  ; <==0x03A48A30(*-0x7)
  ; IL_0056: call  Microsoft.MicrosoftMath.Application.AppDrawingInfo::Initialize()
  0x3A48A3D: FF1588522904         CALL        DWORD PTR [0x4295288]
  ; IL_005B: ldc.i4.0 
  ; IL_005C: stloc.1 
  0x3A48A43: 33D2                 XOR         EDX,EDX             
  0x3A48A45: 8955F4               MOV         DWORD PTR [EBP-0xC],EDX; VAR:0xC
  ; IL_005D: call  Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  ; IL_0062: ldloca.s 0x01
  ; IL_0064: call  Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus()
  ; IL_0069: ldc.i4.0 
  ; IL_006A: ceq 
  ; IL_006C: ldc.i4.1 
  ; IL_006D: ceq 
  ; IL_006F: call  Microsoft.MicrosoftMath.Application.AppResManager::set_Activated()
  0x3A48A48: 8B0D34364F02         MOV         ECX,DWORD PTR [0x24F3634]
  0x3A48A4E: 8D55F4               LEA         EDX,[EBP-0xC]       ; VAR:0xC
  0x3A48A51: E80636C400           CALL        0x468C05C           
  0x3A48A56: 85C0                 TEST        EAX,EAX             
  0x3A48A58: 0F94C2               SETZ        DL                  
  0x3A48A5B: 0FB6D2               MOVZX       EDX,DL              
  0x3A48A5E: 88158035A600         MOV         BYTE PTR [0xA63580],DL
  ; IL_0074: call  Microsoft.MicrosoftMath.Application.AppMain::CheckEula()
  ; IL_0079: brtrue.s IL_007C
  0x3A48A64: FF157836A600         CALL        DWORD PTR [0xA63678]
  0x3A48A6A: 85C0                 TEST        EAX,EAX             
  0x3A48A6C: 7505                 JNZ         0x3A48A73           ; (*+0x7) 
  ; IL_007B: ret 
  0x3A48A6E: E947010000           JMP         0x3A48BBA           
  ; IL_007C: call  Microsoft.MicrosoftMath.Application.AppMain::CheckSQM()
  0x3A48A73: FF157436A600         CALL        DWORD PTR [0xA63674]  ; <==0x03A48A6C(*-0x7)
  ; IL_0081: call  Microsoft.MicrosoftMath.Controls.ResManager::get_AppDirectory()
  ; IL_0086: ldstr "MathRichEditNative.dll"
  ; IL_008B: call  System.IO.Path::Combine()
  ; IL_0090: call  Microsoft.MicrosoftMath.Application.AppResManager::VerifyMSCertificate()
  ; IL_0095: brtrue.s IL_009C
  0x3A48A79: 8B0D4C364F02         MOV         ECX,DWORD PTR [0x24F364C]
  0x3A48A7F: 8B15EC204F02         MOV         EDX,DWORD PTR [0x24F20EC]
  0x3A48A85: FF15E09C3701         CALL        DWORD PTR [0x1379CE0]
  0x3A48A8B: 8BC8                 MOV         ECX,EAX             
  0x3A48A8D: FF15D42C2904         CALL        DWORD PTR [0x4292CD4]
  0x3A48A93: 85C0                 TEST        EAX,EAX             
  0x3A48A95: 7515                 JNZ         0x3A48AAC           ; (*+0x17) 
  ; IL_0097: call  Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  0x3A48A97: FF15301F2904         CALL        DWORD PTR [0x4291F30]
  0x3A48A9D: FF15B0BD6804         CALL        DWORD PTR [0x468BDB0]
  0x3A48AA3: 8BC8                 MOV         ECX,EAX             
  0x3A48AA5: 3909                 CMP         DWORD PTR [ECX],ECX 
  0x3A48AA7: E8BC35C400           CALL        0x468C068           
  ; IL_009C: call  Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  ; IL_00A1: brtrue.s IL_00FB
  ; IL_00A3: ldnull 
  ; IL_00A4: stloc.2 
  0x3A48AAC: 803D8035A60000       CMP         BYTE PTR [0xA63580],0x0  ; <==0x03A48A95(*-0x17)
  0x3A48AB3: 0F8583000000         JNE         0x3A48B3C           ; (*+0x89) 
  ; IL_00A5: ldsfld  System.IntPtr::Zero()
  ; IL_00AA: ldloc.2 
  ; IL_00AB: ldc.i4.0 
  ; IL_00AC: ldloc.1 
  ; IL_00AD: call  Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  ; IL_00B2: call  Microsoft.MicrosoftMath.Application.NativeMethods::ShowActivationWizard()
  ; IL_00B7: stloc.3 
  0x3A48AB9: 6A00                 PUSH        0x0                 
  0x3A48ABB: FF75F4               PUSH        DWORD PTR [EBP-0xC] ; VAR:0xC
  0x3A48ABE: FF3534364F02         PUSH        DWORD PTR [0x24F3634]
  0x3A48AC4: 33D2                 XOR         EDX,EDX             
  0x3A48AC6: 33C9                 XOR         ECX,ECX             
  0x3A48AC8: E8AF35C400           CALL        0x468C07C           
  ; IL_00B8: ldloc.3 
  ; IL_00B9: brfalse.s IL_00CB
  0x3A48ACD: 85C0                 TEST        EAX,EAX             
  0x3A48ACF: 740E                 JZ          0x3A48ADF           ; (*+0x10) 
  ; IL_00BB: ldloc.3 
  ; IL_00BC: ldc.i4 0xC000000C
  ; IL_00C1: beq.s IL_00CB
  0x3A48AD1: 3D0C0000C0           CMP         EAX,0xC000000C      ; ERR:STATUS_TIMER_NOT_CANCELED
  0x3A48AD6: 7407                 JE          0x3A48ADF           ; (*+0x9) 
  ; IL_00C3: ldloc.3 
  ; IL_00C4: ldc.i4 0xF000000E
  ; IL_00C9: bne.un.s IL_00F3
  0x3A48AD8: 3D0E0000F0           CMP         EAX,0xF000000E      
  0x3A48ADD: 7542                 JNE         0x3A48B21           ; (*+0x44) 
  ; IL_00CB: call  Microsoft.MicrosoftMath.Controls.ResManager::get_SKU()
  ; IL_00D0: ldloca.s 0x01
  ; IL_00D2: call  Microsoft.MicrosoftMath.Application.NativeMethods::CheckLicenseStatus()
  ; IL_00D7: ldc.i4.0 
  ; IL_00D8: ceq 
  ; IL_00DA: ldc.i4.1 
  ; IL_00DB: ceq 
  ; IL_00DD: call  Microsoft.MicrosoftMath.Application.AppResManager::set_Activated()
  0x3A48ADF: 8B0D34364F02         MOV         ECX,DWORD PTR [0x24F3634]  ; <==0x03A48ACF(*-0x10), 0x03A48AD6(*-0x9)
  0x3A48AE5: 8D55F4               LEA         EDX,[EBP-0xC]       ; VAR:0xC
  0x3A48AE8: E86F35C400           CALL        0x468C05C           
  0x3A48AED: 85C0                 TEST        EAX,EAX             
  0x3A48AEF: 0F94C2               SETZ        DL                  
  0x3A48AF2: 0FB6D2               MOVZX       EDX,DL              
  0x3A48AF5: 88158035A600         MOV         BYTE PTR [0xA63580],DL
  ; IL_00E2: ldloc.1 
  ; IL_00E3: brtrue.s IL_00FB
  0x3A48AFB: 837DF400             CMP         DWORD PTR [EBP-0xC],0x0; VAR:0xC
  0x3A48AFF: 753B                 JNE         0x3A48B3C           ; (*+0x3D) 
  ; IL_00E5: call  Microsoft.MicrosoftMath.Application.AppResManager::get_Activated()
  ; IL_00EA: brtrue.s IL_00FB
  0x3A48B01: 803D8035A60000       CMP         BYTE PTR [0xA63580],0x0
  0x3A48B08: 7532                 JNE         0x3A48B3C           ; (*+0x34) 
  ; IL_00EC: call  Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  ; IL_00F1: br.s IL_00FB
  0x3A48B0A: FF15301F2904         CALL        DWORD PTR [0x4291F30]
  0x3A48B10: FF15B0BD6804         CALL        DWORD PTR [0x468BDB0]
  0x3A48B16: 8BC8                 MOV         ECX,EAX             
  0x3A48B18: 3909                 CMP         DWORD PTR [ECX],ECX 
  0x3A48B1A: E84935C400           CALL        0x468C068           
  0x3A48B1F: EB1B                 JMP         0x3A48B3C           
  ; IL_00F3: ldloc.1 
  ; IL_00F4: brtrue.s IL_00FB
  0x3A48B21: 837DF400             CMP         DWORD PTR [EBP-0xC],0x0; VAR:0xC  ; <==0x03A48ADD(*-0x44)
  0x3A48B25: 7515                 JNE         0x3A48B3C           ; (*+0x17) 
  ; IL_00F6: call  Microsoft.MicrosoftMath.Application.AppResManager::ExitApp()
  0x3A48B27: FF15301F2904         CALL        DWORD PTR [0x4291F30]
  0x3A48B2D: FF15B0BD6804         CALL        DWORD PTR [0x468BDB0]
  0x3A48B33: 8BC8                 MOV         ECX,EAX             
  0x3A48B35: 3909                 CMP         DWORD PTR [ECX],ECX 
  0x3A48B37: E82C35C400           CALL        0x468C068           
  ; IL_00FB: ldnull 
  ; IL_00FC: ldftn  Microsoft.MicrosoftMath.Application.AppMain::OnApplicationExit()
  ; IL_0102: newobj  System.EventHandler::.ctor()
  0x3A48B3C: B9841CAB03           MOV         ECX,0x3AB1C84         ; <==0x03A48B1F(*-0x1D), 0x03A48B25(*-0x17), 0x03A48B08(*-0x34), 0x03A48AB3(*-0x89), 0x03A48AFF(*-0x3D)
  0x3A48B41: E8869500FD           CALL        0xA520CC            
  0x3A48B46: 8BC8                 MOV         ECX,EAX             
  0x3A48B48: 8D5104               LEA         EDX,[ECX+0x4]       
  0x3A48B4B: E809AE4276           CALL        DllUnregisterServerInternal + 0x0139          ; (0x79E73959)
  0x3A48B50: C7410C04213900       MOV         DWORD PTR [ECX+0xC],0x392104
  0x3A48B57: B868552904           MOV         EAX,0x4295568       
  0x3A48B5C: 894110               MOV         DWORD PTR [ECX+0x10],EAX
  ; IL_0107: call  System.Windows.Forms.Application::add_ApplicationExit()
  0x3A48B5F: FF15D81E2904         CALL        DWORD PTR [0x4291ED8]
  ; IL_010C: ldnull 
  ; IL_010D: ldftn  Microsoft.MicrosoftMath.Application.AppMain::OnApplicationIdle()
  ; IL_0113: newobj  System.EventHandler::.ctor()
  0x3A48B65: B9841CAB03           MOV         ECX,0x3AB1C84       
  0x3A48B6A: E85D9500FD           CALL        0xA520CC            
  0x3A48B6F: 8BC8                 MOV         ECX,EAX             
  0x3A48B71: 8D5104               LEA         EDX,[ECX+0x4]       
  0x3A48B74: E8E0AD4276           CALL        DllUnregisterServerInternal + 0x0139          ; (0x79E73959)
  0x3A48B79: C7410C04213900       MOV         DWORD PTR [ECX+0xC],0x392104
  0x3A48B80: B878552904           MOV         EAX,0x4295578       
  0x3A48B85: 894110               MOV         DWORD PTR [ECX+0x10],EAX
  ; IL_0118: call  System.Windows.Forms.Application::add_Idle()
  0x3A48B88: FF15F01E2904         CALL        DWORD PTR [0x4291EF0]
  ; IL_011D: call  System.Windows.Forms.Application::EnableVisualStyles()
  0x3A48B8E: FF15241F2904         CALL        DWORD PTR [0x4291F24]
  ; IL_0122: newobj  Microsoft.MicrosoftMath.Application.MainForm::.ctor()
  ; IL_0127: stloc.s 0x04
  0x3A48B94: B9144F6804           MOV         ECX,0x4684F14       
  0x3A48B99: E806554476           CALL        LogHelp_TerminateOnAssert + 0x8054          ; (0x79E8E0A4)
  0x3A48B9E: 8BF0                 MOV         ESI,EAX             
  0x3A48BA0: 8BCE                 MOV         ECX,ESI             
  0x3A48BA2: E8E134C400           CALL        0x468C088           
  ; IL_0129: ldloc.s 0x04
  ; IL_012B: ldarg.0 
  ; IL_012C: callvirt  Microsoft.MicrosoftMath.Application.MainForm::SetCommandArgs()
  0x3A48BA7: 8BD7                 MOV         EDX,EDI             
  0x3A48BA9: 8BCE                 MOV         ECX,ESI             
  0x3A48BAB: 3909                 CMP         DWORD PTR [ECX],ECX 
  0x3A48BAD: E8EA34C400           CALL        0x468C09C           
  ; IL_0131: ldloc.s 0x04
  ; IL_0133: call  System.Windows.Forms.Application::Run()
  0x3A48BB2: 8BCE                 MOV         ECX,ESI             
  0x3A48BB4: FF15841F2904         CALL        DWORD PTR [0x4291F84]
  ; IL_0138: ret 
  0x3A48BBA: 6A00                 PUSH        0x0                   ; <==0x03A48A6E(*-0x14C), 0x03A48A32(*-0x188)
  0x3A48BBC: 6A00                 PUSH        0x0                 
  0x3A48BBE: 6A00                 PUSH        0x0                 
  0x3A48BC0: 680036A600           PUSH        0xA63600            
  0x3A48BC5: E8E6845B0C           CALL        0x100010B0          
  0x3A48BCA: 59                   POP         ECX                 
  0x3A48BCB: 5E                   POP         ESI                 
  0x3A48BCC: 5F                   POP         EDI                 
  0x3A48BCD: 5D                   POP         EBP                 
  0x3A48BCE: C3                   RET                             

简直是字节码和翻译的二进制代码一一对应,太~~~~~~~~~让人兴奋了,对于.NET程序似乎更有信心了。





[第三部分]  出彩之处就在那么一点

想了很久如何去打补丁,用OD的ODBGScript脚本倒是很方便,但谁用程序的时候还开个OD呀!

思路在一瞬间打开了,就从那个进入CheckLicenseStatus函数首地址时堆栈指示开始,
跳到找到的空白地址,记录下当前ESP,然后修改它为[ESP]--〉[ESP]-5
为什么是-5呢,因为
MOV EAX,1
对应的二进制串:
B801000000
也就是通过直接修改MathRichEditNative.dll来间接修改MATHAPP.EXE动态申请的内存,使得返回时不是
到原来的00A7B2B1,而是00A7B2AC=00A7B2B1-5

使得
**********************************前面第一部分提到的*************************************
00A7B2AF    FF10                call    dword ptr [eax]
00A7B2B1    C643 08 01          mov     byte ptr [ebx+8], 1
//在OllyICE中手动修改EAX=1,函数返回真,程序变成已经激活!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//---------------------------------------但如何修改呢?请注意这里是动态申请的内存空间
00A7B2B5    833D F017387A 00    cmp     dword ptr [7A3817F0], 0
*****************************************************************************************
变为
**********************************前面第一部分提到的*************************************
00A7B2AC    B8 01000000         mov  eax,1      //返回这里!!!!!!!!
00A7B2B1    C643 08 01          mov     byte ptr [ebx+8], 1
00A7B2B5    833D F017387A 00    cmp     dword ptr [7A3817F0], 0
*****************************************************************************************


爆破方法:只要修改MathRichEditNative.dll相关代码

<第一处>
4745650C >/$  51              push    ecx
4745650D  |.  8D6424 FC       lea     esp, dword ptr [esp-4]
47456511  |.  890C24          mov     dword ptr [esp], ecx
===>修改为
4745650C >   /E9 3F3A0D00     jmp     47529F50
47456511  |. |890C24          mov     dword ptr [esp], ecx


<第二处>
DLL领空末尾空白:
47529F50      51              push    ecx
47529F51      50              push    eax
47529F52      8D4424 08       lea     eax, dword ptr [esp+8]
47529F56      8B08            mov     ecx, dword ptr [eax]
47529F58      83C1 FB         add     ecx, -5
47529F5B      8908            mov     dword ptr [eax], ecx
47529F5D      C701 B8010000   mov     dword ptr [ecx], 1B8
47529F63      C641 04 00      mov     byte ptr [ecx+4], 0
47529F67      58              pop     eax
47529F68      59              pop     ecx
47529F69      51              push    ecx
47529F6A      8D6424 FC       lea     esp, dword ptr [esp-4]
47529F6E    ^ E9 9EC5F2FF     jmp     47456511

二进制:
51 50 8D 44 24 08 8B 08 83 C1 FB 89 08 C7 01 B8 01 00 00 C6 41 04 00 58 59 51 8D 64 24 FC E9 9E C5 F2 FF

复制保存替换原MathRichEditNative.dll文件。
退出OllyDbg后再运行程序,现在不再弹出要求激活的30天试用NAG提示了。




[总结]
程序破解了,补丁看来也要有技巧;
.NET程序强名保护的问题没有解决。


激活后,没有了激活菜单项